DETAILED ACTION

Claims 1 - 28 are pending.

Claim Rejections - 35 USC § 112

The following is a quotation of the second paragraph of 35 U.S.C. 112:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 2, 3, and 5 are rejected under 35 U.S.C. 112, second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which applicant regards as the invention.

Claims 2, 3, and 5 each recite the limitation "the declaration module". There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination, the examiner will presume the applicant to mean "the declarative module".

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless -

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on sale in this country, more than one year prior to the date of application for patent in the United States.

Claims 1-28 are rejected under 35 U.S.C. 102(b) as being anticipated by Scott et al. (Scott), "Abstracting Application-Level Web Security".

Regarding claim 1, Scott discloses:
receiving data input through a web page from a client device (fig. 1, page 2, col. 1, par. 3-6); referencing a declarative module to determine a client input security screen to apply to the data input from the client device; and applying the client input security screen to the data input from the client device (page 3, col. 2, par. 2).

Regarding claim 2, Scott discloses:
a global section that includes at least one client input security screen that applies to any type of client input value (fig. 2; page 6, col. 1, par. 1, 2, par. 2, lines 9-13). Scott discloses an input security screen that applied to all user input (parameters values).

Regarding claim 3, Scott discloses:
an individual values section that includes at least one client input security screen that applies to a particular type of client input value (fig. 2; page 4, col. 1, par. 4).

Regarding claim 4, Scott discloses:
wherein the particular type of client input value is one of the following types of client input values: query string; server variable; form value; cookie (fig. 2).

Regarding claim 5, Scott discloses:
wherein the declaration module further comprises a web.config file (page 1, col. 2, par. 3; page 3, col. 2, par. 1).

Regarding claim 6, Scott discloses:
wherein the applying the client input security screen further comprises executing a default action on invalid client input detected by the client input security screen (page 3, col. 2, par. 1, lines 8-13, par. 2, lines 5-11; page 4, col. 2, par. 3, 4). Scott discloses the application of several types of input screening to all input data (default screening) wherein actions are performed on all the input data during the process of data input security screening. Additionally, Scott discloses default transformations that can be applied during the screening of invalid input data.

Regarding claim 7, Scott discloses:
wherein the applying the client input security screen further comprises executing a specified action on invalid client input detected by the client input security screen, the specified action being specified in the client input security screen (page 4, col. 1, par. 4-6).

Regarding claim 8, Scott discloses:
wherein a client input security screen further comprises one or more values that may be entered as client input, the one or more values further comprising the only values that may be entered as client input (page 4, col. 1, par. 4-6). Scott discloses a security screen that constrains client input to a set of values, such as any integer: 0 - int [length 4]. Thus, the security screen effectively comprises the values of 0 - int [length 4] to be imposed upon the client input as a restriction. Additionally, Scott discloses that the security screen comprises specific URL values (extracted from HTTP requests) that may be entered as client input (page 6, col. 2, par. 1).

Regarding claim 9, Scott discloses:
wherein a client input security screen further comprises one or more screened values that, when detected in the client input, cause an action to be taken on the client input (fig. 4; page 3, col. 2, par. 2; page 4, col. 2, par. 3).

Regarding claim 10, Scott discloses:
wherein the action to be taken further comprises removing the one or more screened values detected in the client input (fig. 4; page 3, col. 2, par. 2; page 4, col. 2, par. 3, 4). Scott discloses the encoding of screened values (removal and replacement). Additionally, Scott discloses the removal of values from client input based upon the client input security screen (page 7, col. 2, par. 1.1 - 1.2).

Regarding claim 11, Scott discloses:
wherein the action to be taken further comprises removing an entire string that contains the one or more screened values detected in the client input (page 6, col. 2, par. 3; fig. 5; page 9, col. 1, par. 2.2).

Regarding claim 12, it is the system claim corresponding to the method claim 1, and is rejected for, at least, the same reasons, and furthermore because Scott discloses:
a web page server unit configured to provide one or more web pages to one or more client devices over a distributed network (fig. 1).

Regarding claims 13-15, they are rejected for, at least, the same reasons as claims 1-3, and 12.

Regarding claim 16, Scott discloses:
wherein a screening rule further comprises a client input variable that may be accepted as input from a client (fig. 5). Scott discloses various screening rules that accept client input variables.

Regarding claim 17, Scott discloses:
wherein a screening rule further comprises one or more screened characters that, when detected in client input, are screened from the client input according to a screening rule (fig. 5 - see transformation).

Regarding claim 18, Scott discloses:
wherein the screening rule further comprises a default screening action that is applied in the absence of a specified screening action (fig. 5 - see transformation). Scott discloses a single screening action that is to be performed, and thus, a default screening action.

Regarding claim 19, Scott discloses:
wherein the screening rule further comprises a specified screening action that is applied to the screened client input (fig. 5 - see transformation). Scott discloses a single specific screening action that is to be performed.

Regarding claim 20, it is rejected for, at least, the same reasons as claim 5.

Regarding claim 21, Scott discloses:
serving a web page to a client over a distributed network; receiving client input via the web page (fig. 1, page 2, col. 1, par. 3-6); comparing the client input with one or more client input security screens stored in a security declaration module; if invalid client input is detected, performing a screening action on the invalid client input as indicated by the security declaration module (page 3, col. 2, par. 2; page 4, col. 2, par. 3; page 6, col. 1, par. 1, 2; fig. 5); and wherein the one or more input security screens included in the security declaration module can be applied to multiple web pages (page 4, col. 1, par. 2).

Furthermore, Scott discloses a computer system, and thus discloses media and instructions (fig. 1).

Regarding claims 22 - 25, they are the media and instruction claims corresponding to the method and system claims of 2, 3, 5-7, 18, and 19, and they are rejected for, at least, the same reasons.

Regarding claim 26, Scott discloses:
wherein the screening action further comprises a default action that is not required to be specified in a client input security screen (page 6, col. 1, par. 1, 2).

Regarding claims 27 and 28, Scott discloses:
wherein the multiple web pages are included in a web project and wherein the multiple web pages are included in a web-based application (Abstract; Introduction; fig. 1; section 3.1; page 4, col. 1, par. 2; page 6, col. 1, par. 2, col. 2, par. 1). Scott discloses a security policy to be applied to a large web-application, the policy comprising rules for the web pages of a site. The web pages are associated with a web application, thus, they are included in a web project/application.
Conclusion

Claims 1 - 28 are rejected.

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:

See Notice of References Cited

A shortened statutory period for reply is set to expire 3 months (not less than 90 days) from the mailing date of this communication.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffery Williams whose telephone number is (571) 272-7965. The examiner can normally be reached on 8:30-5:00.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Emmanuel Moise, can be reached on (571) 272-3865. The fax phone number for the organization where this application or proceeding is assigned is (703) 872-9306.



Application/Control Number: 10/606,089 
Art Unit: 2137 






Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).


